From: Jeff Layton jlayton@kernel.org
mainline inclusion from mainline-v5.16-rc1 commit c35cac610a24f8b2e2d6f6535b7300d3bb2e5c29 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/I9R4KH CVE: CVE-2023-52732
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
This function does a lot of list-shuffling with cap flushes, all to avoid possibly freeing a slab allocation under spinlock (which is totally ok). Simplify the code by just detaching and freeing the cap flushes in place.
Signed-off-by: Jeff Layton jlayton@kernel.org Signed-off-by: Ilya Dryomov idryomov@gmail.com Signed-off-by: Zizhi Wo wozizhi@huawei.com --- fs/ceph/mds_client.c | 26 ++++++++++---------------- 1 file changed, 10 insertions(+), 16 deletions(-)
diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index df1ecb8bfebf..c7c6cde3faaa 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -1640,7 +1640,6 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap,
 struct ceph_fs_client *fsc = (struct ceph_fs_client *)arg;
 struct ceph_mds_client *mdsc = fsc->mdsc;
 struct ceph_inode_info *ci = ceph_inode(inode);
- LIST_HEAD(to_remove);
 bool dirty_dropped = false;
 bool invalidate = false;
 int capsnap_release = 0;
@@ -1659,16 +1658,17 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap,
 mapping_set_error(&inode->i_data, -EIO);
 }
 
+ spin_lock(&mdsc->cap_dirty_lock);
+
+ /* trash all of the cap flushes for this inode */
 while (!list_empty(&ci->i_cap_flush_list)) {
 cf = list_first_entry(&ci->i_cap_flush_list,
 struct ceph_cap_flush, i_list);
- list_move(&cf->i_list, &to_remove);
- }
-
- spin_lock(&mdsc->cap_dirty_lock);
-
- list_for_each_entry(cf, &to_remove, i_list)
 list_del_init(&cf->g_list);
+ list_del_init(&cf->i_list);
+ if (!cf->is_capsnap)
+ ceph_free_cap_flush(cf);
+ }
 
 if (!list_empty(&ci->i_dirty_item)) {
 pr_warn_ratelimited(
@@ -1711,22 +1711,16 @@ static int remove_session_caps_cb(struct inode *inode, struct ceph_cap *cap,
 }
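Review bot: The comment `/* trash all of the cap flushes for this inode */` on the new side overstates what the loop does: a flush with `is_capsnap` set is only unlinked from `i_list` and `g_list`, not freed, so its memory still belongs to something else (presumably the capsnap, which the remove_capsnaps() call later in this function takes care of). Suggest `/* detach every cap flush from this inode; free the ones we own, capsnap-owned flushes are released with their capsnap */`. `mdsc->cap_dirty_lock` is now taken before the loop and held across the `ceph_free_cap_flush()` calls, with its unlock outside this hunk; the commit message argues a slab free under the spinlock is fine, and a short comment next to the spin_lock saying so would spare the next reader the same question. The enclosing remove_session_caps_cb starts and ends outside the hunk.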
 
 if (!ci->i_dirty_caps && ci->i_prealloc_cap_flush) {
- list_add(&ci->i_prealloc_cap_flush->i_list, &to_remove);
+ cf = ci->i_prealloc_cap_flush;
 ci->i_prealloc_cap_flush = NULL;
+ if (!cf->is_capsnap)
+ ceph_free_cap_flush(cf);
 }
 
 if (!list_empty(&ci->i_cap_snaps))
 capsnap_release = remove_capsnaps(mdsc, inode);
 }
 spin_unlock(&ci->i_ceph_lock);
- while (!list_empty(&to_remove)) {
- struct ceph_cap_flush *cf;
- cf = list_first_entry(&to_remove,
- struct ceph_cap_flush, i_list);
- list_del_init(&cf->i_list);
- if (!cf->is_capsnap)
- ceph_free_cap_flush(cf);
- }
 
 wake_up_all(&ci->i_cap_wq);
 if (invalidate)
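Review bot: In the prealloc branch the new code assigns the function-scope `cf` (its declaration is outside the hunk) and then frees it, so `cf` is left pointing at freed memory for the remainder of remove_session_caps_cb; nothing visible in this hunk reads it afterwards, but in the old code the prealloc flush was never held in a named pointer and the loop that freed flushes used a loop-local `struct ceph_cap_flush *cf` (removed here), so no stale pointer outlived a free. Either scope the pointer to the branch, `struct ceph_cap_flush *pcf = ci->i_prealloc_cap_flush;`, or clear it after the free, `cf = NULL;`, so a later addition to this function cannot touch freed memory. The function continues past the end of the hunk.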